07-19-2011 03:30 AM - edited 03-07-2019 01:16 AM
Hello,
I am having few issues implementing a suggested requirement in my company.
Requirement -
I am using catalyst 2960 switches.
Now the network has to be divided into three VLANs namely VLAN1, VLAN2 and VLAN3 which is ok.
After this a control needs to be applied in the sense that
VLAN1 can access VLAN2 and VLAN3 but VLAN2 and VLAN3 should not access VLAN1.
VLAN2 can only access VLAN3 but VLAN3 should not access VLAN2.
That means,
VLAN1 can access VLAN2 (not vice versa)
VLAN1 can access VLAN3 (not vice versa)
VLAN2 can access VLAN3 (not vice versa)
Now how to implement above I don't have any clue.
Please if anyone can provide any solution to the above mentioned requirement it will be of great help. Thanks in advance.
Solved! Go to Solution.
07-19-2011 05:51 AM
Easier to implement would be reflexive acl on 6500 because you don't have to move the L3 vlan interfaces to the ASA and setup subinterfaces etc.
There is a lot less config to do on the 6500 than there is if you go with the ASA setup.
Jon
07-19-2011 04:10 AM
Hi,
What I understand is that Vlan1 can access anything.
Vlan2 can access only Vlan3 but Vlan3 should not access Vlan2
Please find the below config for the above.
interface vlan 1
ip address 192.168.1.1 255.255.255.0
ip access group vlan1 in
interface vlan 2
ip address 192.168.2.1 255.255.255.0
ip access group vlan2 in
interface vlan 3
ip address 192.168.3.1 255.255.255.0
ip access-list extended vlan1
permit ip any any
ip access-list extended vlan2
permit ip any 192.168.2.0 0.0.0.255
deny ip any any
 
Regarding from Vlan3 what needs to be access?
Please rate the helpfull posts.
Regards,
Naidu.
07-19-2011 04:24 AM
Hi Naidu,
Thanks for your reply.
VLAN3 is kept for guest access which I think merely for internet only and no internal network access is to be provided to the guests.
Let me try that stuff suggested by you and then i will return to you soon with my result. God bless.
07-19-2011 04:48 AM
Hi Prateek,
Please remember to rate all the posts which encourage others in this forum.
So for Vlan3 now you can define rules like below...
interface vlan 3
ip address 192.168.3.1 255.255.255.0
ip access group vlan3 in
ip access-list extended vlan2
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 any 
Please rate the helpfull posts.
Regards,
Naidu.
07-19-2011 04:56 AM
Naidu
The acl on vlan 3 will block return traffic to vlan 2 so vlan 2 will no longer be able to access vlan 3.
Jon
07-19-2011 04:46 AM
Naidu
interface vlan 2
ip address 192.168.2.1 255.255.255.0
ip access group vlan2 in
ip access-list extended vlan2
permit ip any 192.168.2.0 0.0.0.255
deny ip any any
you have lost me on that one If the acl is inbound then the source IPs would 192.168.2.x so i'm not sure how that would work.
To the OP, it's difficult to do because as far as i know the 2960 does not support reflexive acls. The problem you have is that you want vlan 2 to be able to access vlan 3 but not the other way round. Using normal acls won't allow you to do this because if you apply an acl to vlan 3 denying traffic to vlan 2 then the return traffic to vlan 2 will also be denied.
So you need either reflexive acls, a firewall, or you need to rethink the access.
Jon
07-19-2011 05:00 AM
Hi Jon,
Thanks for your reply.
Actually my main problem is that only. VLAN2 and VLAN3 should not access VLAN1 and VLAN3 should not access VLAN2 as well.
I am also using ASA Adaptive Security Appliance. So can such a policy be created on ASA where VLAN1 can access VLAN2 but VLAN2 cannot access VLAN1 ??
07-19-2011 05:08 AM
If you simply wanted to stop vlan 2 and vlan 3 from accessing vlan 1 and vlan 3 from accessing vlan 2 then you could use acls. But if you also want to allow vlan 2 and vlan 1 to access vlan 3 then that is where the problems come in.
If you do need this sort of access then yes an ASA would indeed do this for you but you would need to route the vlans off the ASA ie. you would only have the vlans at L2 on the switch and you would remove the L3 SVIs (interface vlan xx) from the 2960 switch.
Then you could connect the ASA to the 2960 switch with a 802.1q trunk and use subinterfaces on the ASA inside interface, one for each vlan. You can then setup access as you need. A stateful firewall will allow return traffic by default so this would solve your problem ie. you can deny access to vlan 1 and vlan 2 on the vlan 3 subinterface but allow traffic to vlan 3 on the vlan 2 subinterface. Return traffic from vlan 2 would then be allowed because the return traffic is not checked against the vlan 3 subinterface acl.
Jon
07-19-2011 05:17 AM
Hi Jon,
Thnaks for your reply.
The topology is like a core switch 6509 aggregating thirteen 2960 switches and also the ASA is attached to the core switch. So i think inter-VLAN routing is already taken care of as I all the L2 switches are attached directly to the L3 core switch. Am I right ??
07-19-2011 05:23 AM
Is the 6500 doing all the inter-vlan routing for vlan 1,2 & 3 ?
If so then the 6500s do support reflexive acls so you could use those. Reflexive acls are a sort of halfway house between standard acls and a full stateful firewall. But they would allow you to setup the sort of access you want. See this link on how to configure reflexive acls -
http://www.cisco.com/en/US/customer/docs/ios/12_2/security/configuration/guide/scfreflx.html
Jon
07-19-2011 05:36 AM
Hi Jon,
Thanks for your reply.
You are closing in on the problem statement I guess. Nice
Since I am not using any router and all the L2 switches are directly connected to the Core switch so i 6500 core switch will be taking care of all the inter VLAN routing.
Now which one do you think will be faster n easier ? Implementing VLAN ACLs on core switch or implementing policy on ASA.
07-19-2011 05:51 AM
Easier to implement would be reflexive acl on 6500 because you don't have to move the L3 vlan interfaces to the ASA and setup subinterfaces etc.
There is a lot less config to do on the 6500 than there is if you go with the ASA setup.
Jon
07-19-2011 05:54 AM
Thanks a ton Jon n Naidu. god bless.
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide